Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Visibility and response across your entire Microsoft security ecosystem.
XDR with Machine Learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert threat hunting, original research, and proactive threat intelligence.
TRU is foundational to our MDR service. No add-ons or additional costs required.
Stop ransomware attacks before they disrupt your business.
Detect and respond to zero-day exploits.
Protect against third-party and supply chain risk.
Adopt a risk-based approach to cybersecurity.
Protect your most sensitive data.
Meet cybersecurity regulatory compliance mandates.
Eliminate misconfigurations and policy violations.
Prevent business disruption by outsourcing MDR.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and mediating threats to prevent lateral spread.
Enhance investigation and threat detection across multi-cloud or hybrid environments.
Remediate critical misconfigurations, security vulnerabilities and policy violations across cloud and containerized environments.
Detect malicious insider and identity-based behavior leveraging machine learning models.
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company's mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
We believe a multi-signal approach is paramount to protecting your complete attack surface. See why eSentire MDR means multi-signal telemetry and complete response.
See how our 24/7 SOC Cyber Analysts and Elite Threat Hunters stop even the most advanced cyberattacks before they disrupt your business.
Choose the right mix of Managed Detection and Response, Exposure Management, and Incident Response services to strengthen your cyber resilience.
Try our interactive tools including the MITRE ATT&CK Tool, the SOC Pricing Calculator, the Cybersecurity Maturity Assessment, and our MDR ROI Calculator.
Read the latest security advisories, blogs, reports, industry publications and webinars published by eSentire's Threat Response Unit (TRU).
See why 2000+ organizations count on eSentire to build resilience and prevent business disruption.
TRU Positives: Weekly investigation summaries and recommendations from eSentire's Threat Response Unit (TRU)
BY eSentire Threat Response Unit (TRU)
January 31, 2023 | 7 MINS READ
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
IcedID first emerged in 2017 as a capable, widely observed banking trojan. Beginning in 2020, IcedID was identified as a precursor to ransomware attacks such as Egregor, Maze and Conti and has historically utilized email as its delivery vector.
In December 2022, TRU began observing IcedID infections that were traced to payloads downloaded by users from the Internet. This observation coincided with a general uptick in successful IcedID infections in Q4 of 2022, which saw 35% percent of IcedID incidents for the period between January 2022 and January 2023 (Figure 1).
The activity in Q4 2022 was a mixture of email and drive-by infections. However, since mid-late December 2022, observed IcedID infections have originated exclusively via drive-by attacks, specifically Google Search Ads targeting common applications.
Malicious Google Search Ads are nothing new, but TRU has observed an increase in their use to deliver information stealing malware and IcedID in 2022 and 2023. For IcedID specifically, TRU has observed malicious ads targeting applications such as Slack, Docker, TeamViewer, Microsoft Teams, Basecamp and Adobe Reader (among others), as seen in Figure 2.
Search ads utilize the auction-based Pay-Per-Click (PPC) model. Advertisers can enter a maximum bid for certain search keywords to display their ad so long as their bid is more than another advertiser’s bid. Additionally, Ads Keyword Planner, a free tool, provides an estimate for top of page bids where an advertiser can ensure their ad is shown at the top of the search results for specific keywords (usually at a premium).
For example, as of January 2023, one would need to place a maximum bid of $4.30 per click to have an ad displayed at the top of a search for “slack download”. Therefore, a top of page ad bid for 1000 clicks could cost between $1330 and $4300 USD. This cost is unlikely to be a significant barrier to threat actors who are likely using stolen payment data.
Abusing search ads also provides some degree of curation in terms of ideal targets. This is reflected by both the keywords targeted (primarily software used in corporate environments) and audience segments, which includes detailed demographics, interests, intents and other attributes estimated by Google (Figure 3).
Google does use a review process for new ads to ensure compliance with their ad policy, including malicious software. It’s not immediately clear how threat actors are circumventing these compliance checks.
Cloaking is a common tactic used to hide malicious content from all but the intended victim. An example of traffic redirection can be seen in Figure 2 above, where slackapp[.]tech is the ad link, but the final content is hosted on wvwslack[.]top. Another example can be seen in Figures 4 and 5 below, where a download page impersonating Docker leads to the legitimate Docker binary. However, in a subsequent review, the page leads to an IcedID payload host on Google FireBase storage.
In mid-January 2023, a customer endpoint became infected with IcedID originating from a website masquerading as Adobe Reader. The victim arrived on the website (vwv-adobe[.]top) from clicking a Google Search Ad for Adobe software (Figure 6).
The setup file (6718a804f5d5064fa3b918d844fd727d) is padded to inflate its size to over 700MB to inhibit automated inspection. When executed, IcedID executes an initial round of reconnaissance commands and initiates a check-in with the C2 (qsertopinajil[.]com), as seen in Figure 7.
The living-off-the-land reconnaissance commands used are not indifferent than what TRU has observed with malware whose objective is delivering footholds to hands-on-keyboard adversaries. The output from these commands provides a quick summary of the foothold’s worth and is likely used to triage and prioritize the most valuable footholds.
WMIC /Node:localhost /Namespace:\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List ipconfig /all systeminfo net config workstation nltest /domain_trusts nltest /domain_trusts /all_trusts net view /all /domain net view /all net group "Domain Admins" /domain
Within 30 minutes, IcedID attempted to execute a PowerShell script (ozye.txt) using fodhelper.exe to bypass UAC but was blocked from doing so.
Our team of 24/7 SOC Cyber Analysts retrieved the PowerShell script from the system and determined it contained a Cobalt Strike Beacon loader (f36c8d12db66730f3cf94d28331b90ac) configured to spawn and inject into a child PowerShell process. The beacon was configured to communicate with poasnm[.]com using HTTP and spawn using regsvr32.exe.
Our SOC identified suspicious reconnaissance activity on a customer endpoint and immediately notified the customer while an investigation took place. The case was escalated when the blocked Cobalt Strike activity occurred and the system was immediately contained.
General Guidance for Users:
Guidance for IT:
Indicator | Note |
www-goto-com[.]top | IcedID Download Page |
www-onenote-us[.]top | |
www-fortinet-com[.]top | |
www-irsform-com[.]top | |
www-discord-us[.]top | |
ww-citrixcom[.]top | |
wvw-basecamp-us[.]com | |
wvw-docker-us[.]com | |
wvw-microsofteams[.]top | |
wvw-mlcrosofteams[.]top | |
vwv-adobe[.]top | |
mlcrosofteams[.]top | |
www-docker[.]top | |
www-teamviewer[.]top | |
wvw-slack-us[.]com | |
wvwslack[.]top | |
wvw-teanviwer-us[.]com | |
wvw-webex-us[.]com |
eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.